b"   AUDIT OF COMPLIANCE WITH STANDARDS\n  GOVERNING COMBINED DNA INDEX SYSTEM\nACTIVITIES AT THE BALTIMORE COUNTY POLICE\n      DEPARTMENT CRIME LABORATORY\n       BALTIMORE COUNTY, MARYLAND\n\n\n\n\n         U.S. Department of Justice\n       Office of the Inspector General\n                Audit Division\n\n\n        Audit Report GR-30-11-002\n                March 2011\n\x0c  AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING\n   COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n       BALTIMORE COUNTY POLICE DEPARTMENT\n                 CRIME LABORATORY\n            BALTIMORE COUNTY, MARYLAND\n\n                            EXECUTIVE SUMMARY\n\n      The Department of Justice Office of the Inspector General (OIG), Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Baltimore County\nPolice Department Crime Laboratory (Laboratory).\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS program combines\nforensic science and computer technology to provide an investigative tool to\nfederal, state, and local crime laboratories in the United States, as well as\nthose from select international law enforcement agencies. The CODIS\nprogram allows these crime laboratories to compare and match DNA profiles\nelectronically to assist law enforcement in solving crimes and identifying\nmissing or unidentified persons. 1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS, as\nwell as develops, supports, and provides the program to crime laboratories\nto foster the exchange and comparison of forensic DNA evidence.\n\n      The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. The hierarchy consists of three distinct\nlevels that flow upward from the local level to the state level and then, if\nallowable, the national level. The National DNA Index System (NDIS), the\nhighest level in the hierarchy, is managed by the FBI as the nation\xe2\x80\x99s DNA\ndatabase containing DNA profiles uploaded by law enforcement agencies\nacross the United States. NDIS enables the laboratories participating in the\nCODIS program to electronically compare DNA profiles on a national level.\nThe State DNA Index System (SDIS) is used at the state level to serve as a\nstate\xe2\x80\x99s DNA database containing DNA profiles from local laboratories and\n\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cstate offenders. The Local DNA Index System (LDIS) is used by local\nlaboratories.\n\nOIG Audit Objectives\n\n      Our audit generally covered the period from November 2008 through\nDecember 2010. The objectives of our audit were to determine if: (1) the\nBaltimore County Police Department Crime Laboratory was in compliance\nwith the NDIS participation requirements; (2) the Laboratory was in\ncompliance with the Quality Assurance Standards (QAS) issued by the FBI;\nand (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in CODIS databases were\ncomplete, accurate, and allowable for inclusion in NDIS.\n\n       Our review determined the following.\n\n   \xe2\x80\xa2   The Laboratory was in compliance with NDIS participation\n       requirements we reviewed, including: physical and electronic\n       security of CODIS; up-to-date training for Laboratory personnel;\n       maintenance of training and qualification records; and timeliness\n       of NDIS matches.\n\n   \xe2\x80\xa2   The Laboratory was in compliance with Quality Assurance\n       Standards (QAS) we reviewed, including: the most recent\n       internal and external QAS reviews; physical security of the\n       Laboratory; retention of evidence; and analysis performed by an\n       outsourced contractor.\n\n   \xe2\x80\xa2   We reviewed 100 of 538 forensic profiles the Laboratory had\n       uploaded to NDIS as of November 15, 2010. Of the 100 forensic\n       profiles sampled, we found that 98 of the sampled forensic\n       profiles were complete, accurate, and allowable for inclusion in\n       NDIS. We had concerns based on case file information that two\n       profiles in our sample may not have met the NDIS allowability\n       guidelines. The Laboratory agreed that one of the profiles was\n       unallowable because of its tenuous link to a putative perpetrator,\n       and was uncomfortable with the inclusion of another; both were\n       subsequently removed from NDIS.\n\n      The results of our audit are discussed in detail in the Findings section\nof the report. Our audit objectives, scope, and methodology are detailed in\nAppendix I of the report and the audit criteria are detailed in Appendix II.\nWe discussed the results of our audit with Laboratory officials and have\nincluded their comments in the report as applicable.\n\n\n\n                                     - ii -\n\x0c                                TABLE OF CONTENTS\n\n                                                                                        Page\nINTRODUCTION ................................................................................ 1\n\n   Background ..................................................................................... 1\n\n   OIG Audit Objectives ........................................................................ 1\n\n   Legal Foundation for CODIS ............................................................... 2\n\n   CODIS Structure .............................................................................. 2\n\n   Laboratory Information ..................................................................... 6\n\nFINDINGS ......................................................................................... 7\n\n   I.    Compliance with NDIS Participation Requirements .......................... 7\n\n   II.   Compliance with Quality Assurance Standards ............................... 9\n\n   III. Suitability of Forensic DNA Profiles in CODIS Databases................ 12\n\nAPPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY ................ 15\n\nAPPENDIX II: AUDIT CRITERIA ...................................................... 18\n\nAPPENDIX III: FEDERAL BUREAU OF INVESTIGATION\n  RESPONSE TO DRAFT REPORT .................................................... 22\n\n\n\n\n                                                 1\n\x0c  AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING\n   COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n       BALTIMORE COUNTY POLICE DEPARTMENT\n                 CRIME LABORATORY\n            BALTIMORE COUNTY, MARYLAND\n\n                                 INTRODUCTION\n\n      The Department of Justice Office of the Inspector General, Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Baltimore County\nPolice Department Crime Laboratory (Laboratory).\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS provides an\ninvestigative tool to federal, state, and local crime laboratories in the United\nStates using forensic science and computer technology. The CODIS program\nallows these laboratories to compare and match DNA profiles electronically,\nthereby assisting law enforcement in solving crimes and identifying missing\nor unidentified persons. 1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS and is\nresponsible for its use in fostering the exchange and comparison of forensic\nDNA evidence.\n\nOIG Audit Objectives\n\n      Our audit generally covered the period from November 2008 through\nDecember 2010. The objectives of our audit were to determine if: (1) the\nBaltimore County Police Department Crime Laboratory was in compliance\nwith the National DNA Index System (NDIS) participation requirements;\n(2) the Laboratory was in compliance with the Quality Assurance Standards\n(QAS) issued by the FBI; and (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS. Appendix I contains a detailed description of our audit objectives,\nscope, and methodology; and Appendix II contains the criteria used to\nconduct the audit.\n\n\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cLegal Foundation for CODIS\n\n      The FBI\xe2\x80\x99s CODIS program began as a pilot project in 1990. The DNA\nIdentification Act of 1994 (Act) authorized the FBI to establish a national\nindex of DNA profiles for law enforcement purposes. The Act, along with\nsubsequent amendments, has been codified in a federal statute (Statute)\nproviding the legal authority to establish and maintain NDIS. 2\n\nAllowable DNA Profiles\n\n      The Statute authorizes NDIS to contain the DNA identification records\nof persons convicted of crimes, persons who have been charged in an\nindictment or information with a crime, and other persons whose DNA\nsamples are collected under applicable legal authorities. Samples voluntarily\nsubmitted solely for elimination purposes are not authorized for inclusion in\nNDIS. The Statute also authorizes NDIS to include analysis of DNA samples\nrecovered from crime scenes or from unidentified human remains, as well as\nthose voluntarily contributed from relatives of missing persons.\n\nAllowable Disclosure of DNA Profiles\n\n       The Statute requires that NDIS only include DNA information that is\nbased on analyses performed by or on behalf of a criminal justice agency \xe2\x80\x93\nor the U.S. Department of Defense \xe2\x80\x93 in accordance with QAS issued by the\nFBI. The DNA information in the index is authorized to be disclosed only:\n(1) to criminal justice agencies for law enforcement identification purposes;\n(2) in judicial proceedings, if otherwise admissible pursuant to applicable\nstatutes or rules; (3) for criminal defense purposes, to a defendant who shall\nhave access to samples and analyses performed in connection with the case\nin which the defendant is charged; or (4) if personally identifiable\ninformation (PII) is removed for a population statistics database, for\nidentification research and protocol development purposes, or for quality\ncontrol purposes.\n\nCODIS Structure\n\n       The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. CODIS consists of a hierarchy of three\ndistinct levels: (1) NDIS, is managed by the FBI as the nation\xe2\x80\x99s DNA\ndatabase containing DNA profiles uploaded by participating states, (2) the\nState DNA Index System (SDIS) is used at the state level to serve as a\nstate\xe2\x80\x99s DNA database containing DNA profiles from local laboratories within\n\n      2\n          42 U.S.C.A. \xc2\xa7 14132 (2006).\n\n\n                                        2\n\x0cthe state and state offenders, and (3) the Local DNA Index System (LDIS),\nused by local laboratories. DNA profiles originate at the local level and then\nflow upward to the state and, if allowable, national level. For example, the\nlocal laboratory in the Palm Beach County, Florida, Sheriff\xe2\x80\x99s Office sends its\nprofiles to the state laboratory in Tallahassee, which then uploads the\nprofiles to NDIS. Each state participating in CODIS has one designated SDIS\nlaboratory. The SDIS laboratory maintains its own database and is\nresponsible for overseeing NDIS issues for all CODIS-participating\nlaboratories within the state. The graphic below illustrates how the system\nhierarchy works.\n\n                    Example of System Hierarchy within CODIS\n\n\n                                              NDIS\n                                   Maintained by the FBI\n\n\n\n\nSDIS                            SDIS                             SDIS\nLaboratory                      Laboratory                       Laboratory\nRichmond, CA                    Springfield, IL                  Tallahassee, FL\n\n\n\n                                  LDIS Laboratories (partial list):\n                                  DuPage County Sheriff\xe2\x80\x99s Office\n                                  Illinois State Police, Chicago\n                                  Illinois State Police, Rockford\n\n LDIS Laboratories (partial list):                       LDIS Laboratories (partial list):\n Orange County Sheriff\xe2\x80\x99s Department                      Broward County Sheriff\xe2\x80\x99s Office\n San Bernardino County Sheriff\xe2\x80\x99s Department              Miami-Dade Police Department\n San Diego Police Department                             Palm Beach County Sheriff\xe2\x80\x99s Office\n\n\n\n\n                                                  3\n\x0cNational DNA Index System\n\n       NDIS, the highest level in the CODIS hierarchy, enables laboratories\nparticipating in the CODIS program to electronically compare DNA profiles on\na national level. NDIS does not contain names or other PII about the\nprofiles. Therefore, matches are resolved through a system of laboratory-\nto-laboratory contacts. Within NDIS are eight searchable indices discussed\nin the following paragraphs:\n\n   \xe2\x80\xa2   Convicted Offender Index contains profiles generated from persons\n       convicted of qualifying offenses. 3\n\n   \xe2\x80\xa2   Arrestee Index is comprised of profiles developed from persons who\n       have been arrested, indicted, or charged in an information with a\n       crime.\n\n   \xe2\x80\xa2   Legal Index consists of profiles that are produced from DNA samples\n       collected from persons under other applicable legal authorities. 4\n\n   \xe2\x80\xa2   Detainee Index consists of DNA records from non-United States (U.S.).\n       persons detained under the authority of the U.S. and required by law\n       to provide a DNA sample.\n\n   \xe2\x80\xa2   Forensic Index profiles originate from, and are associated with,\n       evidence found at crime scenes.\n\n   \xe2\x80\xa2   Missing Person Index contains known DNA profiles of missing persons\n       and deduced missing persons.\n\n   \xe2\x80\xa2   Unidentified Human (Remains) Index holds profiles from unidentified\n       living individuals and the remains of unidentified deceased individuals. 5\n\n   \xe2\x80\xa2   Relatives of Missing Person Index is comprised of DNA profiles\n       generated from the biological relatives of individuals reported missing.\n\n\n\n\n       3\n          The phrase \xe2\x80\x9cqualifying offenses\xe2\x80\x9d refers to local, state, or federal crimes that\nrequire a person to provide a DNA sample in accordance with applicable laws.\n       4\n         An example of a Legal Index profile is one from a person found not guilty by\nreason of insanity who is required by the relevant state law to provide a DNA sample.\n       5\n           An example of an Unidentified Human (Remains) Index profile from a living person\nis a profile from a child or other individual, who cannot or refuses to identify themselves.\n\n\n                                               4\n\x0c      Although CODIS is comprised of multiple indices or databases, the two\nmain functions of the system are to: (1) generate investigative leads that\nmay help in solving crimes and (2) identify missing and unidentified persons.\n\n       The Forensic Index generates investigative leads in CODIS that may\nhelp solve crimes. Investigative leads may be generated through matches\nbetween the Forensic Index and other indices in the system, including the\nConvicted Offender, Arrestee, and Legal Indices. These matches may\nprovide investigators with the identity of suspected perpetrators. CODIS\nalso links crime scenes through matches between Forensic Index profiles,\npotentially identifying serial offenders.\n\n      In addition to generating investigative leads, CODIS furthers the\nobjectives of the FBI\xe2\x80\x99s National Missing Person DNA Database program\nthrough its ability to identify missing and unidentified individuals. Those\npersons may be identified through matches between indicies in CODIS, such\nas through matches between the profiles in the Missing Person Index and\nthe Unidentified Human (Remains) Index. Identifications may also be\ngenerated through matches between the Missing Persons Index and the\nRelatives of Missing Persons Index. The profiles within the Missing Person\nand Unidentified Human (Remains) Indices may be vetted against the\nForensic, Convicted Offender, Arrestee, and Legal Indices to provide\ninvestigators with leads in solving missing and unidentified person cases.\n\nState and Local DNA Index Systems\n\n       The FBI provides CODIS software free of charge to any state or local\nlaw enforcement laboratory performing DNA analysis. Laboratories are able\nto use the CODIS software to upload profiles to NDIS. However, before a\nlaboratory is allowed to participate at the national level and upload DNA\nprofiles to NDIS, a Memorandum of Understanding (MOU) must be signed\nbetween the FBI and the applicable state\xe2\x80\x99s SDIS laboratory. The MOU\ndefines the responsibilities of each party, includes a sublicense for the use of\nCODIS software, and delineates the standards laboratories must meet in\norder to utilize NDIS. Although officials from LDIS laboratories do not sign\nan MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory\nare required to adhere to the MOU signed by the SDIS laboratory.\n\n\n\n\n                                       5\n\x0c       States are authorized to upload DNA profiles to NDIS based on local,\nstate, and federal laws, as well as NDIS regulations. However, states or\nlocalities may maintain NDIS-restricted profiles in SDIS or LDIS. For\ninstance, a local law may allow for the collection and maintenance of a\nvictim profile at LDIS but NDIS regulations do not authorize the upload of\nthat profile to the national level.\n\n       The utility of CODIS relies upon the completeness, accuracy, and\nquantity of profiles that laboratories upload to the system. Incomplete\nCODIS profiles are those for which the required number of core loci were not\ntested or do not contain all of the DNA information that resulted from a DNA\nanalysis and may not be searched at NDIS. 6 The probability of a false match\namong DNA profiles is reduced as the completeness of a profile increases.\nInaccurate profiles, which contain incorrect DNA information or an incorrect\nspecimen number, may generate false positive leads, false negative\ncomparisons, or lead to the misidentification of a sample. CODIS becomes\nmore useful as the quantity of DNA profiles in the system increases because\nthe potential for additional leads rises. However, laws and regulations\nexclude certain types of profiles from being uploaded to CODIS to prevent\nviolations to an individual\xe2\x80\x99s privacy and foster the public\xe2\x80\x99s confidence in\nCODIS. Therefore, it is the responsibility of the Laboratory to ensure that it\nis adhering to the NDIS participation requirements and the profiles uploaded\nto CODIS are complete, accurate, and allowable for inclusion in NDIS.\n\nLaboratory Information\n\n      The Baltimore County Police Department Crime Laboratory\n(Laboratory) is a Local DNA Indexing System (LDIS) laboratory located in\nTowson, Maryland. The Laboratory, which analyzes forensic samples, has\nbeen a part of the CODIS program since December 2001, and currently\nserves over 780,000 residents living in Baltimore County. It last received\naccreditation in December 2009 through the American Society of Crime\nLaboratory Directors/Laboratory Accreditation Board, and is due for renewal\nin 2014. In addition, since 2003, the Laboratory has outsourced work to\nBode Technology through a contract run by Maryland State Police.\n\n\n\n\n      6\n          A \xe2\x80\x9clocus\xe2\x80\x9d is a specific location on a chromosome. The plural form of locus is loci.\n\n\n                                               6\n\x0c                               FINDINGS\n\n      I. Compliance with NDIS Participation Requirements\n\n      The Baltimore County Police Department Crime Laboratory was\n      in compliance with NDIS participation requirements we reviewed,\n      including: physical and electronic security of CODIS; up-to-date\n      training for Laboratory personnel; maintenance of training and\n      qualification records; and timeliness of NDIS matches.\n\n      The NDIS participation requirements, which consist of the MOU and\nthe NDIS Procedure Manual, establish the responsibilities and obligations of\nlaboratories that participate in the CODIS program at the national level. The\nMOU describes the CODIS-related responsibilities of both the Laboratory and\nthe FBI. The NDIS Procedure Manual is comprised of the NDIS operational\nprocedures and provides detailed instructions for laboratories to follow when\nperforming certain procedures pertinent to NDIS. The NDIS participation\nrequirements we reviewed are listed in Appendix II of this report.\n\nResults of the OIG Audit\n\n      We found that the Laboratory complied with the NDIS participation\nrequirements we reviewed. Specifically, security measures were adequate,\nLaboratory personnel were up to date with training requirements and\nrequired documentation, and the NDIS procedures manual was readily\navailable and accessible to all CODIS users. These results are described in\nmore detail below.\n\n  \xe2\x80\xa2   NDIS requires that CODIS be physically and electronically safeguarded\n      from unauthorized use and accessible to limited approved personnel.\n      We conducted a walk through tour of the Biology Unit of the\n      laboratory, which is separately key-coded and can only be accessed by\n      personnel in the Biology Unit. The CODIS workstation is within the\n      biology Unit, and each CODIS user has a unique password.\n      Furthermore, the CODIS server is stored in a server room on a\n      separate floor of the building. Following both the walk through tour\n      and the interviews of Laboratory management and personnel, we\n      found the security measures, both physical and electronic,\n      safeguarding the CODIS work area to be adequate.\n\n\n\n\n                                     7\n\x0c  \xe2\x80\xa2   All Laboratory personnel were able to verify the location of the hard\n      copy of the NDIS Procedures Manual, in addition to being able to\n      access the Criminal Justice Information System Wide Area Network.\n\n  \xe2\x80\xa2   We contacted the FBI to verify that all Laboratory CODIS users were\n      up-to-date with training. All four CODIS users have completed NDIS\n      training for 2010, and matched the list provided by the Laboratory.\n\n  \xe2\x80\xa2   We verified that all Laboratory CODIS users submitted FBI required\n      documentation for access to CODIS.\n\n  \xe2\x80\xa2   We reviewed the Laboratory procedures in its Quality Assurance\n      Manual (QAM) for maintaining personnel training and qualification\n      records, and found that records are maintained on-site for a minimum\n      of 5 years and off-site for a minimum of 10 years. In discussions with\n      the Laboratory, the Laboratory manager told us that the personnel\n      records are kept indefinitely.\n\n  \xe2\x80\xa2   We selected and analyzed a sample of NDIS matches and found that\n      the Laboratory requested confirmation of matches, confirmed matches,\n      and reported matches to investigators in a timely manner.\n\nConclusion\n\n   We found the Laboratory to be in compliance with the NDIS participation\nrequirements. Therefore, we made no recommendations concerning our\nreview of the NDIS participation requirements.\n\n\n\n\n                                      8\n\x0c   II. Compliance with Quality Assurance Standards\n\n       We determined the Laboratory to be in compliance with Quality\n       Assurance Standards (QAS) we reviewed, including: the most\n       recent internal and external QAS reviews; physical security of\n       the Laboratory; retention of evidence; and analysis performed\n       by an outsourced contractor.\n\n       During our audit, we considered the Forensic Quality Assurance\nStandards (QAS) issued by the FBI. 7 These standards describe the quality\nassurance requirements that the Laboratory must follow to ensure the\nquality and integrity of the data it produces. We also assessed the two most\nrecent QAS reviews that the Laboratory underwent. 8 The QAS we reviewed\nare listed in Appendix II.\n\nResults of the OIG Audit\n\n     We found that the Laboratory complied with the Forensic QAS tested.\nThese results are described in more detail below.\n\n   \xe2\x80\xa2   We verified that QAS reviews of the Laboratory were conducted. The\n       Laboratory had an external QAS review performed in October 2009\n       and an internal QAS review in November 2010. This is in accordance\n       with QAS Standard 15, which directs laboratories to have a review\n       performed every year, but once every 2 years must undergo an\n       external review.\n\n   \xe2\x80\xa2   We analyzed both the above mentioned QAS reviews, and found that\n       neither made any findings.\n\n   \xe2\x80\xa2   We contacted the external QAS reviewer from the 2009 QAS review\n       and received a signed auditor independence statement for the period\n       in question.\n\n\n\n       7\n         Forensic Quality Assurance Standards refer to the Quality Assurance Standards for\nForensic DNA Testing Laboratories, effective July 1, 2009.\n       8\n          The QAS require that laboratories undergo annual audits. Every other year, the\nQAS requires that the audit be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These audits\nare not required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we will refer to the QAS audits as reviews (either an internal\nlaboratory review or an external laboratory review, as applicable) to avoid confusion with\nour audits that are conducted in accordance with GAS.\n\n\n                                             9\n\x0c\xe2\x80\xa2   We toured the Laboratory and found that access to the facility is\n    limited to the public, with police personnel posted at the entrance.\n    Additionally, the Laboratory is housed on its own floor in which access\n    is limited to only designated personnel. All doors in the building\n    require key card access, and all visitors require an escort.\n\n\xe2\x80\xa2   We reviewed the policies and procedures regarding evidence security\n    and during our tour of the Laboratory, we were given a walkthrough of\n    the evidence control process. We found the security of evidence and\n    chain of custody to be acceptable. Furthermore, the Laboratory has\n    adequate procedures in place to ensure accurate entry into LDIS.\n\n\xe2\x80\xa2   We reviewed the policies and procedures the Laboratory implements\n    regarding the separation of known and unknown DNA samples in\n    accordance with the QAS standards. According to the Laboratory\xe2\x80\x99s\n    Quality Assurance Manual (QAM), as well as its personnel, the\n    processing of known and unknown samples are to be separated by\n    space or time. The samples are completed at different times, which\n    we find to meet the standards outlined in the QAS.\n\n\xe2\x80\xa2   We discussed the policies and procedures regarding retention of DNA\n    samples after analysis with Laboratory personnel and reviewed\n    Laboratory protocols, which we found to be in compliance with the\n    QAS. The Laboratory retains DNA evidence when possible, and full\n    consumption of a sample requires permission from the State\xe2\x80\x99s\n    Attorney\xe2\x80\x99s Office. Furthermore, evidence is kept long term in the\n    Laboratory\xe2\x80\x99s Evidence Maintenance Unit.\n\n\xe2\x80\xa2   We found that the Laboratory has outsourced work to Bode Technology\n    Group (Bode) through a contract with the Maryland State Police. We\n    received accreditation and audit documentation for Bode for relevant\n    years. The Laboratory provided contracts for Bode; we reviewed the\n    contracts and did not note any requirements that were not met.\n\n\n\n\n                                   10\n\x0c  \xe2\x80\xa2   We talked with Laboratory personnel who told us that 100 percent of\n      Bode work has documentation in the case files indicating a technical\n      review was performed. Furthermore, the Laboratory has contractors\n      sign statements of compliance with QAS every year, and documents\n      proficiency testing for all Bode analysts who analyze cases. During our\n      review of Laboratory profiles, which included contracted cases, we\n      found technical review documentation for all files.\n\n  \xe2\x80\xa2   We reviewed the site visit documentation for Bode for the last 2 years.\n      The Laboratory provided documentation for the 2010 site visit it\n      conducted, and a 2008 site visit conducted by the Maryland State\n      Police. The Laboratory explained it was exempt from the 2009 site\n      visit requirement because its contract was in place prior to the July\n      2009 QAS document. They supplemented the 2008 documentation\n      with a review of the 2009 Bode QAS review. Our review found the site\n      visits contained no issues, and the QAS review to have three issues,\n      which were addressed and closed.\n\nConclusion\n\n      We found the Laboratory to be in compliance with Quality Assurance\nStandards (QAS) we reviewed, including: the most recent internal and\nexternal QAS reviews; physical security of the Laboratory; retention of\nevidence; and oversight of analysis performed by an outsourced contractor.\nTherefore, we made no recommendations concerning the Laboratory\xe2\x80\x99s\nadherence to QAS.\n\n\n\n\n                                     11\n\x0cIII. Suitability of Forensic DNA Profiles in CODIS Databases\n\n      We reviewed 100 forensic profiles uploaded to NDIS by the\n      Baltimore County Police Department Crime Laboratory and\n      determined 98 profiles were complete, accurate, and allowable\n      for inclusion in NDIS. We had concerns about the allowability of\n      two profiles uploaded into NDIS. The Laboratory agreed that\n      one of the profiles was unallowable in accordance with NDIS\n      guidelines because it did not have an adequate link to the\n      putative perpetrator, and was uncomfortable with the inclusion\n      of another; both profiles were subsequently removed from NDIS.\n\n       We reviewed a sample of the Laboratory\xe2\x80\x99s Forensic DNA profiles to\ndetermine whether each profile was complete, accurate, and allowable for\ninclusion in NDIS. 9 To test the completeness and accuracy of each profile,\nwe established standards that require a profile include all the loci for which\nthe analyst obtained results, and that the values at each locus match those\nidentified during analysis. 10 Our standards are described in more detail in\nAppendix II of this report.\n\n       The FBI\xe2\x80\x99s NDIS operational procedures establish the DNA data\nacceptance standards by which laboratories must abide. The FBI also\ndeveloped a flowchart as guidance for the laboratories for determining what\nis allowable in the forensic index at NDIS. Laboratories are prohibited from\nuploading forensic profiles to NDIS that clearly match the DNA profile of the\nvictim or another known person that is not a suspect. A profile at NDIS that\nmatches a suspect may be allowable if the contributor is unknown at the\ntime of collection; however, NDIS guidelines prohibit profiles that match a\nsuspect if the suspect\xe2\x80\x99s DNA could reasonably have been expected to be on\nan item at the crime scene or part of the crime scene independent of the\ncrime. For instance, a profile from an item seized from the suspect\xe2\x80\x99s person,\nsuch as a shirt, or that was in the possession of the suspect when collected\nis generally not a forensic unknown and would not be allowable for upload to\nNDIS. The NDIS procedures we reviewed are listed in Appendix II of this\nreport.\n\n\n\n\n      9\n         When a laboratory\xe2\x80\x99s universe of DNA profiles in NDIS exceeds 1,500, our sample is\ntaken from SDIS rather than directly from NDIS. See Appendix I for further description of\nthe sample selection.\n      10\n           A \xe2\x80\x9clocus\xe2\x80\x9d is a specific location on a chromosome. The plural form of locus is loci.\n\n\n                                              12\n\x0cResults of the OIG Audit\n\n       We selected a sample of 100 profiles out of the 538 forensic profiles\nthe Laboratory had uploaded to NDIS as of November 15, 2010. Of the 100\nforensic profiles sampled, we had concerns about the allowability for two\nprofiles based on NDIS guidelines. The remaining profiles sampled were\ncomplete, accurate, and allowable for inclusion in NDIS. The specific\nexceptions are explained in more detail below.\n\nOIG Sample Number CA-22\n\n       Sample CA-22 was taken from a baseball cap found at the exterior\nentrance to an apartment building in which a homicide occurred. We\nfollowed up with the Laboratory regarding the location of the cap as\ncompared to the victim. We were provided a statement from the detective\non the case, who stated that the cap was found outside the apartment\nbuilding doors, and not the specific doors to the apartment where the crime\nwas committed. Considering the location of the hat in relation to the crime\nscene, we did not consider it to be attributable to the putative perpetrator in\naccordance with NDIS guidelines and found the profile to be unallowable for\nupload into NDIS. The Laboratory agreed with the finding and removed the\nprofile.\n\nOIG Sample Number CA-75\n\n       Sample CA-75 was taken from a gun allegedly used in a robbery and\nattempted murder. The gun was found in a laundry basket located in the\nbasement of the victim\xe2\x80\x99s apartment building. The basket was found in a\ncommunity laundry room after detectives provided a warrant and searched\nthe premises. At the time of the recovery, the suspect was adjacent to the\nlaundry basket containing the gun. We noted that the suspect's proximity to\nthe gun when it was recovered may have indicated that it was in his\npossession, thereby indicating it may be reasonable to assume that the\nsuspect\xe2\x80\x99s DNA might be on the weapon. We requested additional\ninformation on the profile and Laboratory personnel noted that the case file\ndid not clearly distinguish whether the laundry basket the gun was found in\nwas communal property (possibly containing DNA from persons unrelated to\nthe crime), or the property of the suspect (whose DNA could reasonably be\npresent). The Laboratory stated it was uncomfortable with the profile\xe2\x80\x99s\ninclusion in NDIS and subsequently removed it.\n\n\n\n\n                                      13\n\x0cConclusion\n\n      We reviewed 100 forensic profiles the Laboratory had uploaded to\nNDIS and found two that, based on the facts of the case, had questionable\nallowability in accordance with NDIS guidelines. The Laboratory removed\nboth profiles. The remaining profiles were accurate, complete, and\nallowable. As such, we made no recommendations concerning our review of\nForensic DNA profiles.\n\n\n\n\n                                   14\n\x0c                                                                         APPENDIX I\n\n             OBJECTIVES, SCOPE, AND METHODOLOGY\n\n      We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n      Our audit generally covered the period from November 2008 through\nDecember 2010. The objectives of the audit were to determine if the:\n(1) Laboratory was in compliance with the NDIS participation requirements;\n(2) Laboratory was in compliance with the Quality Assurance Standards\n(QAS) issued by the FBI; and (3) Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS. To accomplish the objectives of the audit, we:\n\n   \xe2\x80\xa2   Examined internal and external Laboratory QAS review reports and\n       supporting documentation for corrective action taken, if any, to\n       determine: (a) if the Laboratory complied with the QAS, (b) whether\n       repeat findings were identified, and (c) whether recommendations were\n       adequately resolved.11\n\n       In accordance with the QAS, the internal and external laboratory review\n       procedures are to address, at a minimum, a laboratory\xe2\x80\x99s quality\n       assurance program, organization and management, personnel\n       qualifications, facilities, evidence control, validation of methods and\n       procedures, analytical procedures, calibration and maintenance of\n       instruments and equipment, proficiency testing of analysts, corrective\n       action for discrepancies and errors, review of case files, reports, safety,\n       and previous audits. The QAS require that internal and external reviews\n       be performed by personnel who have successfully completed the FBI\xe2\x80\x99s\n       training course for conducting such reviews.\n\n\n       11\n            The QAS require that laboratories undergo annual audits. Every other year, the\nQAS requires that the audit be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These audits\nare not required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we refer to the QAS audits as reviews (either internal or\nexternal laboratory reviews, as applicable) to avoid confusion with our audits that are\nconducted in accordance with GAS.\n\n\n                                            15\n\x0c       As permitted by GAS 7.42 (2007 revision), we generally relied on the\n       results of the Laboratory\xe2\x80\x99s external laboratory review to determine if\n       the Laboratory complied with the QAS. 12 In order to rely on the work\n       of non-auditors, GAS requires that we perform procedures to obtain\n       sufficient evidence that the work can be relied upon. Therefore, we:\n       (1) obtained evidence concerning the qualifications and independence\n       of the individuals who conducted the review and (2) determined that\n       the scope, quality, and timing of the audit work performed was\n       adequate for reliance in the context of the current audit objectives by\n       reviewing the evaluation procedure guide and resultant findings to\n       understand the methods and significant assumptions used by the\n       individuals conducting the reviews. Based on this work, we\n       determined that we could rely on the results of the Laboratory\xe2\x80\x99s\n       external laboratory review.\n\n   \xe2\x80\xa2   Interviewed Laboratory officials to identify management controls,\n       Laboratory operational policies and procedures, Laboratory certifications\n       or accreditations, and analytical information related to DNA profiles.\n\n   \xe2\x80\xa2   Toured the Laboratory to observe facility security measures as well as\n       the procedures and controls related to the receipt, processing,\n       analyzing, and storage of forensic evidence.\n\n   \xe2\x80\xa2   Reviewed the Laboratory\xe2\x80\x99s written policies and procedures related to\n       conducting internal reviews, resolving review findings, expunging DNA\n       profiles from NDIS, and resolving matches among DNA profiles in NDIS.\n\n   \xe2\x80\xa2   Reviewed supporting documentation for 10 of 15 NDIS matches to\n       determine whether they were resolved in a timely manner. The\n       Laboratory provided the universe of NDIS matches as of December 2,\n       2010. The sample was judgmentally selected to include both case-to-\n       case and case-to-offender matches. This non-statistical sample does\n       not allow projection of the test results to all matches.\n\n       Reviewed supporting documentation to determine whether the\n       Laboratory provided adequate vendor oversight. Reviewed the case files\n       for selected forensic DNA profiles to determine if the profiles were\n       developed in accordance with the Forensic QAS and were complete,\n       accurate, and allowable for inclusion in NDIS.\n\n       12\n           We also considered the results of the Laboratory\xe2\x80\x99s internal laboratory review, but\ncould not rely on it because it was not performed by personnel independent of the\nLaboratory. Further, as noted in Appendix II, we performed audit testing to verify\nLaboratory compliance with specific Quality Assurance Standards that have a substantial\neffect on the integrity of the DNA profiles uploaded to NDIS.\n\n\n                                             16\n\x0c      Working in conjunction with the contractor used by the FBI to maintain\n      NDIS and the CODIS software, we obtained an electronic file identifying\n      the 538 Short Tandem Repeat forensic profiles the Laboratory had\n      uploaded to NDIS as of November 15, 2010. We limited our review to a\n      sample of 100 profiles. This sample size was determined judgmentally\n      because preliminary audit work determined that risk was not\n      unacceptably high.\n\n  \xe2\x80\xa2   Using the judgmentally-determined sample size, we randomly selected a\n      representative sample of labels associated with specific profiles in our\n      universe to reduce the effect of any patterns in the list of profiles\n      provided to us. However, since the sample size was judgmentally\n      determined, the results obtained from testing this limited sample of\n      profiles may not be projected to the universe of profiles from which the\n      sample was selected.\n\n      The objectives of our audit concerned the Laboratory's compliance with\nrequired standards and the related internal controls. Accordingly, we did not\nattach a separate statement on compliance with laws and regulations or a\nstatement on internal controls to this report. See Appendix II for detailed\ninformation on our audit criteria.\n\n\n\n\n                                     17\n\x0c                                                                       APPENDIX II\n\n                                AUDIT CRITERIA\n\n      In conducting our audit, we considered the NDIS participation\nrequirements and the Quality Assurance Standards (QAS). However, we did\nnot test for compliance with elements that were not applicable to the\nLaboratory. In addition, we established standards to test the completeness\nand accuracy of DNA profiles as well as the timely notification of DNA profile\nmatches to law enforcement.\n\nNDIS Participation Requirements\n\n       The NDIS participation requirements, which consist of the\nMemorandum of Understanding (MOU) and the NDIS operational procedures,\nestablish the responsibilities and obligations of laboratories that participate\nin NDIS. The MOU requires that NDIS participants comply with federal\nlegislation and the QAS, as well as NDIS-specific requirements\naccompanying the MOU in the form of appendices. We focused our audit on\nspecific sections of the following NDIS operational procedures.\n\n   \xe2\x80\xa2   DNA Data Acceptance Standards\n   \xe2\x80\xa2   DNA Data Accepted at NDIS\n   \xe2\x80\xa2   Quality Assurance Standards (QAS) Reviews\n   \xe2\x80\xa2   NDIS DNA Autosearches\n   \xe2\x80\xa2   Confirm an Interstate Candidate Match\n   \xe2\x80\xa2   General Responsibilities\n   \xe2\x80\xa2   Initiate and Maintain a Laboratory\xe2\x80\x99s Participation in NDIS\n   \xe2\x80\xa2   Security Requirements\n   \xe2\x80\xa2   CODIS Users\n   \xe2\x80\xa2   CODIS Administrator Responsibilities\n   \xe2\x80\xa2   Access to, and Disclosure of, DNA Records and Samples\n   \xe2\x80\xa2   Upload of DNA Records\n   \xe2\x80\xa2   Expunge a DNA Record\n   \xe2\x80\xa2   The FBI Flowchart: A Guide to Determining What is Allowable in the\n       Forensic Index at NDIS 13\n\n\n\n\n       13\n          The FBI Flowchart is guidance issued to NDIS-participating laboratories separate\nfrom the MOU and NDIS operational procedures. The flowchart is contained in the 2010\nCODIS Administrator\xe2\x80\x99s Handbook and has been provided to laboratories in referendums\nsuch as CODIS conferences.\n\n\n                                            18\n\x0cQuality Assurance Standards\n\n      The FBI issued two sets of Quality Assurance Standards (QAS): QAS\nfor Forensic DNA Testing Laboratories, effective July 1, 2009 (Forensic QAS);\nand QAS for DNA Databasing Laboratories, effective July 1, 2009 (Offender\nQAS). (The Forensic QAS and the Offender QAS describe the quality\nassurance requirements that the Laboratory should follow to ensure the\nquality and integrity of the data it produces.)\n\n       For our audit, we generally relied on the reported results of the\nLaboratory\xe2\x80\x99s most recent annual external review to determine if the\nLaboratory was in compliance with the QAS. Additionally, we performed\naudit work to verify that the Laboratory was in compliance with the QAS\nlisted below because they have a substantial effect on the integrity of the\nDNA profiles uploaded to NDIS.\n\n   \xe2\x80\xa2   Facilities (Forensic QAS and Offender QAS 6.1): The laboratory shall\n       have a facility that is designed to ensure the integrity of the analyses\n       and the evidence.\n\n   \xe2\x80\xa2   Evidence Control (Forensic QAS 7.1): The laboratory shall have and\n       follow a documented evidence control system to ensure the integrity of\n       physical evidence. Where possible, the laboratory shall retain or return\n       a portion of the evidence sample or extract.\n\n   \xe2\x80\xa2   Sample Control (Offender QAS 7.1): The laboratory shall have and\n       follow a documented sample inventory control system to ensure the\n       integrity of database and known samples.\n\n   \xe2\x80\xa2   Analytical Procedures (Forensic QAS and Offender QAS 9.5): The\n       laboratory shall monitor the analytical procedures using [appropriate]\n       controls and standards.\n\n   \xe2\x80\xa2   Review (Forensic QAS 12.1): The laboratory shall conduct\n       administrative and technical reviews of all case files and reports to\n       ensure conclusions and supporting data are reasonable and within the\n       constraints of scientific knowledge.\n\n       (Offender QAS Standard 12.1): The laboratory shall have and follow\n       written procedures for reviewing DNA records and DNA database\n       information, including the resolution of database matches.\n\n\n\n\n                                       19\n\x0c  \xe2\x80\xa2   [Reviews] (Forensic QAS and Offender QAS 15.1 and 15.2): The\n      laboratory shall be audited annually in accordance with [the QAS]. The\n      annual audits shall occur every calendar year and shall be at least 6\n      months and no more than 18 months apart.\n\n      At least once every two years, an external audit shall be conducted by\n      an audit team comprised of qualified auditors from a second\n      agency(ies) and having at least one team member who is or has been\n      previously qualified in the laboratory\xe2\x80\x99s current DNA technologies and\n      platform.\n\n  \xe2\x80\xa2   Outsourcing (Forensic QAS and Offender QAS Standard 17.1): A vendor\n      laboratory performing forensic and database DNA analysis shall comply\n      with these Standards and the accreditation requirements of federal law.\n\n      Forensic QAS 17.4: An NDIS participating laboratory shall have and\n      follow a procedure to verify the integrity of the DNA data received\n      through the performance of the technical review of DNA data from a\n      vendor laboratory.\n\n      Offender QAS Standard 17.4: An NDIS participating laboratory shall\n      have, follow and document appropriate quality assurance procedures to\n      verify the integrity of the data received from the vendor laboratory\n      including, but not limited to, the following: Random reanalysis of\n      database, known or casework reference samples; Inclusion of QC\n      samples; Performance of an on-site visit by an NDIS participating\n      laboratory or multi-laboratory system outsourcing DNA sample(s) to a\n      vendor laboratory or accepting ownership of DNA data from a vendor\n      laboratory.\n\nOffice of the Inspector General Standards\n\n       We established standards to test the completeness and accuracy of\nDNA profiles as well as the timely notification of law enforcement when DNA\nprofile matches occur in NDIS. Our standards are listed below.\n\n  \xe2\x80\xa2   Completeness of DNA Profiles: A profile must include each value\n      returned at each locus for which the analyst obtained results. Our\n      rationale for this standard is that the probability of a false match\n      among DNA profiles is reduced as the number of loci included in a\n      profile increases. A false match would require the unnecessary use of\n      laboratory resources to refute the match.\n\n\n\n\n                                     20\n\x0c\xe2\x80\xa2   Accuracy of DNA Profiles: The values at each locus of a profile must\n    match those identified during analysis. Our rationale for this standard\n    is that inaccurate profiles may: (1) preclude DNA profiles from being\n    matched and, therefore, the potential to link convicted offenders to a\n    crime or to link previously unrelated crimes to each other may be lost;\n    or (2) result in a false match that would require the unnecessary use\n    of laboratory resources to refute the match.\n\n\xe2\x80\xa2   Timely Notification of Law Enforcement When DNA Profile Matches\n    Occur in NDIS: Laboratories should notify law enforcement personnel\n    of NDIS matches within 2 weeks of the match confirmation date,\n    unless there are extenuating circumstances. Our rationale for this\n    standard is that untimely notification of law enforcement personnel\n    may result in the suspected perpetrator committing additional, and\n    possibly more egregious, crimes if the individual is not deceased or\n    already incarcerated for the commission of other crimes.\n\n\n\n\n                                   21\n\x0c                                                                                 APPENDIX III\n\n             THE FEDERAL BUREAU OF INVESTIGATION\n                RESPONSE TO THE DRAFT REPORT\n                                                        U.S. Department of Justice\n\n\n                                                        Federal Bureau of Investigation\n\n\n\n\n                                                        Washington, D. C. 20535-0001\n\n\n\n                                                     March 15, 2011\n\n\nTroy M. Meyer\nRegional Audit Manager\nWashington Regional Audit Office\nOffice of the Inspector General\n1300 North 17th Street\nSuite 3400\nArlington, VA 22209\n\n\nDear Mr. Meyer:\n\n               Your memorandum to Director Mueller forwarding the draft audit report for the\nBaltimore County Police Department Crime Laboratory, Towson, Maryland (Laboratory), has\nbeen referred to me for response.\n\n               Your draft report contained no recommendations relating to the Laboratory's\ncompliance with the FBI\xe2\x80\x99s Memorandum of Understanding and Quality Assurance Standards for\nDNA Testing Laboratories. The CODIS Unit reviewed the draft report and since it appears that\nthe Laboratory is in compliance with NDIS participation requirements, the CODIS Unit has no\nsignificant comments to provide about the draft report.\n\n                Thank you for sharing the draft audit report with us. If you have any questions,\nplease feel free to contact Jennifer Luttman, Chief of the CODIS Unit, at (703) 632-8315.\n\n                                                    Sincerely,\n\n\n                                                     Alice R. Isenberg, Ph.D\n                                                     Section Chief\n                                                     Biometrics Analysis Section\n                                                     FBI Laboratory\n\n\n\n\n                                               22\n\x0c"